MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c82a55fdd3caeb95db17754e3ba270ec93a7eb3c9997f9f9c6f02de0e17bacec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Tofsee
Vendor detections: 17

SHA256 hash: c82a55fdd3caeb95db17754e3ba270ec93a7eb3c9997f9f9c6f02de0e17bacec
SHA3-384 hash: c0120b1b998c7ab4fac09427cc634b18cc07737972e493d0532d383b5a95cb66e3391319a6392bd79d6b3e9ac9c8aff0
SHA1 hash: 5d68410afdd470c5d076b6de46c3b2eeee953be1
MD5 hash: 78cc2004a61a5f5bd968bc7449a6e41d
humanhash: crazy-west-victor-carolina
File name: HEUR-Trojan.Win32.Chapak.gen-c82a55fdd3caeb95.exe
Download: download sample
Signature: Tofsee
File size: 1'577'875 bytes
First seen: 2023-02-08 13:00:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 49152:EgSqM6bpcBJT+tFgYlGiFKtFHbo1kEJwQ/oW1vAaK:Jq7v7FdEJw8oaoJ
TLSH: T1447533427CEA01BBEC71C5B09B1E03926A6E6DF1512A135F63A11F18B9736A0D207F97
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe Tofsee


Comment by abuse_ch:
Tofsee C2: 103.133.111.182:44677

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 204
Origin country: n/a
Vendor Threat Intelligence

Malware family: socelars
ID: 1
File name: HEUR-Trojan.Win32.Chapak.gen-c82a55fdd3caeb95.exe
Verdict: Malicious activity
Analysis date: 2023-02-08 13:05:04 UTC
Tags: evasion trojan socelars stealer loader smoke rat redline

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Moving a recently created file
Running batch commands
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending an HTTP GET request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Sending an HTTP POST request
Reading critical registry keys
Creating a process with a hidden window
Query of malicious DNS domain
Blocking the Windows Defender launch
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Sending an HTTP POST request to an infection source
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: azorult barys mokes overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Amadey, Fabookie, Nymaim, PrivateLoader,
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected Nymaim
Yara detected PrivateLoader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Tofsee
Behaviour
Behavior Graph: (rendered graph image not reproduced; Behavior Graph ID: 801568, Sample: HEUR-Trojan.Win32.Chapak.ge..., Startdate: 08/02/2023, Architecture: WINDOWS, Score: 100)
Threat name: Win32.Ransomware.StopCrypt
Status: Malicious
First seen: 2021-07-27 20:21:50 UTC
File Type: PE (Exe)
Extracted files: 35
AV detection: 28 of 39 (71.79%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: smokeloader
Score: 10/10
Tags: family:nullmixer family:privateloader family:smokeloader aspackv2 backdoor dropper evasion loader spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Looks up external IP address via web service
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Detects Smokeloader packer
Modifies Windows Defender Real-time Protection settings
NullMixer
PrivateLoader
SmokeLoader
Malware Config
C2 Extraction: http://marisana.xyz/
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.